Started as PC issue, turned into Spyware/Virus one...


This topic is locked
43 replies to this topic

#1 Squidolin (Full Member, 23 posts)

Posted 30 June 2007 - 03:53 PM

This might seem to be in the wrong Forum by the sound of the start of it, but it develops, and hopefully I have it in the right Forum after all :unsure:

Started getting "The instruction at " " referenced memory at " ". The memory could not be "read". Click OK..." This happens a lot at startup for programs that do auto updates over the internet, including Windows XP. Also happens with almost any program I open or close, including Windows Explorer.
Did hardware tests, and no solution (switched out RAM), then started to scan for software problems. Found the usual array of tracking cookies, and a couple of other things...

I use Firefox and Thunderbird almost exclusively, except for sites that require Windows IE, i.e. Windows Update. Sometimes, when I start up Firefox, an IE window pops up leading me to some site, almost a different one every time, so I don't know where to, as I shut them immediately.

Followed the FAQ, below are the results...

Ad-Aware and Spybot both done.

AVG log here...

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:04:22 PM 30/06/2007

+ Scan result:



:mozilla.60:C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\8u6u4htv.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.61:C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\8u6u4htv.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.62:C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\8u6u4htv.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.63:C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\8u6u4htv.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.64:C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\8u6u4htv.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Me\Cookies\me@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Me\Cookies\me@ads.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.81:C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\8u6u4htv.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.225:C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\8u6u4htv.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
C:\Documents and Settings\Me\Cookies\me@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.31:C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\8u6u4htv.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.41:C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\8u6u4htv.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.42:C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\8u6u4htv.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.79:C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\8u6u4htv.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.80:C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\8u6u4htv.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.19:C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\8u6u4htv.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.20:C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\8u6u4htv.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.21:C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\8u6u4htv.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.22:C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\8u6u4htv.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.109:C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\8u6u4htv.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Me\Local Settings\Temporary Internet Files\Content.IE5\BCVNVG1J\antzom[1].exe -> Trojan.Dialer.qn : Cleaned.
C:\WINDOWS\Temp\win120.tmp.exe -> Trojan.Dialer.qn : Cleaned.


::Report end

HiJackThis then done, log here...

Logfile of HijackThis v1.99.1
Scan saved at 1:15:41 PM, on 30/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\WebProxy.exe
C:\WINDOWS\system32\spoolsv.exe
D:\AdAware\aawservice.exe
D:\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PsCtrls.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
c:\program files\panda software\panda internet security 2007\firewall\PSHOST.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\psimsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\LVCOMSX.EXE
D:\QuickCam\LogiTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
D:\QuickCam\FxSvr2.exe
D:\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\iTunes\iTunes.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\MOZILL~1\FIREFOX.EXE
D:\QuickCam\AlbumDB2.exe
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\QuickCam\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] D:\QuickCam\LogiTray.exe
O4 - HKLM\..\Run: [xiladgte.exe] C:\Documents and Settings\All Users\Application Data\xiladgte.exe
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\sotnoeqf.dll",forkonce
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] D:\QuickCam\ManifestEngine.exe boot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - http://www.creative....026/CTSUEng.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1169066930140
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://tw.msi.com.tw...ine/install.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://www.creative....15029/CTPID.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\AdAware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - D:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software International - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\psimsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe

As an aside, while typing this topic, a new browser tab opened leading me to "SystemDoctor" and asking if I wanted my system cleaned, etc.
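Editor's note on the log above: the lines worth a helper's attention are the two `O4` Run entries (an executable under All Users\Application Data, and `rundll32.exe` loading a random-named DLL from system32 by export name under the entry name "icq.com"), and, in the second log further down, the `O2`/`O20` entries whose DLLs have already been removed. The following Python script is an added example, not HijackThis's own logic and not code from the poster or from the forum: it scores `O2`/`O4`/`O10`/`O20` lines by those signals and buckets them into tiers. The point weights, the bigram list used to spot random-looking names, and the `STOCK_NOTIFY` set of XP SP2 Winlogon notify packages are my assumptions; the name heuristic is deliberately only a tiebreaker, because legitimate abbreviations such as ctfmon also score as "random", so the location, loader and orphan signals carry the weight. The sample log is a constructed subset of the entries that appear in this thread.

```python
"""Score HijackThis v1.99 load-point lines (O2, O4, O10, O20) for dropper signs.

Added example: not HijackThis's own logic and not code from this thread. The
weights, the bigram list and the STOCK_NOTIFY set are my assumptions; tune
them against a clean baseline of your own before trusting the tiers.
"""
from __future__ import annotations
import re

# Roughly the fifty most frequent English bigrams. A module whose letter pairs
# almost never occur in English (sotnoeqf, jkkhefc) scores near zero.
COMMON_BIGRAMS = set(
    "th he in er an re on at en nd ti es or te of ed is it al ar st to nt ng "
    "se ha as ou io le ve co me de hi ri ro ic ne ea ra ce li ch ll be ma si "
    "om ur el".split()
)
# Winlogon notify packages on a stock XP SP2 install (assumption; add your AV
# vendor's package before relying on the O20 signal).
STOCK_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}
USER_WRITABLE = re.compile(r"\\(application data|local settings|temp)\\", re.I)
MODULE = re.compile(r"([\w.-]+)\.(?:exe|dll)\b", re.I)
RUNDLL_EXPORT = re.compile(r'rundll32(?:\.exe)?\s+"?[^"]+\.dll"?\s*,\s*\w+', re.I)
IN_SYSTEM32 = re.compile(r"\\system32\\[^\\]+\.dll", re.I)


def looks_random(name: str) -> bool:
    """True when under 30% of the name's bigrams are common English ones."""
    n = name.lower()
    if len(n) < 5 or not n.isalpha():
        return False
    pairs = [n[i:i + 2] for i in range(len(n) - 1)]
    return sum(p in COMMON_BIGRAMS for p in pairs) / len(pairs) < 0.3


def score_line(line: str) -> tuple[int, list[str]]:
    """Return (score, reasons) for one HijackThis O2/O4/O10/O20 line."""
    section = line.split(" - ", 1)[0].strip()
    modules = MODULE.findall(line)
    module = modules[-1].lower() if modules else None   # last module on the line
    known = module in STOCK_NOTIFY
    checks = [  # (fires?, points, reason)
        (section == "O4" and USER_WRITABLE.search(line), 3, "autorun from a user-writable directory"),
        (section == "O4" and RUNDLL_EXPORT.search(line), 3, "rundll32 calling a named DLL export"),
        ("(file missing)" in line or "(no file)" in line, 2, "orphaned entry, file already gone"),
        (section == "O20" and module and not known, 2, "non-stock Winlogon notify package"),
        (section == "O2" and IN_SYSTEM32.search(line), 1, "BHO living in system32, not Program Files"),
        (module and not known and looks_random(module), 2, f"random-looking module name '{module}'"),
    ]
    return (sum(points for fires, points, _ in checks if fires),
            [reason for fires, _, reason in checks if fires])


def tier(score: int) -> str:
    return "high" if score >= 5 else "review" if score >= 3 else "low"


def triage(log_text: str) -> dict[str, list[str]]:
    """Bucket every O2/O4/O10/O20 line of a HijackThis log by tier."""
    out: dict[str, list[str]] = {"high": [], "review": [], "low": []}
    for line in log_text.splitlines():
        if line.startswith(("O2 ", "O4 ", "O10 ", "O20 ")):
            out[tier(score_line(line)[0])].append(line)
    return out


# Constructed sample: a subset of the entries from the two logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C670FD71-BDE3-441A-9E63-F996E3C1E035} - C:\WINDOWS\system32\awtst.dll (file missing)
O4 - HKLM\..\Run: [LogitechVideoTray] D:\QuickCam\LogiTray.exe
O4 - HKLM\..\Run: [xiladgte.exe] C:\Documents and Settings\All Users\Application Data\xiladgte.exe
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\sotnoeqf.dll",forkonce
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: jkkhefc - jkkhefc.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

if __name__ == "__main__":
    for level, lines in triage(SAMPLE_LOG).items():
        for line in lines:
            print(f"[{level:6}] {score_line(line)}  {line[:60]}")
```

On the sample, the two `O4` entries, the orphaned system32 BHO and the orphaned `jkkhefc` notify package land in "high"; `avldr` lands in "review" because a non-stock notify package with an unpronounceable name deserves a look but is not proof of anything (several anti-spyware products register one); everything else, including ctfmon and the Bonjour LSP, stays "low". The "review" tier is where a human, not the script, decides.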

#2 SWI Support Robot (Helper robot, 23,520 posts)

Posted 03 July 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 aczechgurl (Forum Deity, Emeritus, 5,577 posts)

Posted 07 July 2007 - 09:53 PM

Welcome to the forum :wave:

I apologize for the delay getting to you; the helpers here are all volunteers and we have been very busy lately.


Please download ComboFix by sUBs:

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.
  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Save it to a convenient place.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please reply with the following.
1. Combofix log
2. A fresh HijackThis log

#4 Squidolin (Full Member, 23 posts)

Posted 08 July 2007 - 01:15 AM

Thanks for the reply. I understand that this service is volunteer-based, so it's no problem how long it takes :-)

OK, here's what happened... and this hadn't happened until the following...

I checked my e-mail, clicked the link to your reply, and Firefox couldn't find the SWI server. Retried, still no luck, repeat. Went to my bookmark of the FAQ for this site, and still no server, then finally found it. Re-clicked the link in the email to get to your reply, and voila, there it is. I downloaded "ComboFix", and immediately Spybot went nuts... every second, for the entire duration of the ComboFix scan, Spybot was denying a registry change that had to do with "About:Blank", as far as I could tell. My Panda Antivirus was also joining in the fun, and denying the same stuff, but not as frequently. Anyway, ComboFix was taking forever, i.e. 1/2 to reboot Windows to complete "the disinfection". Meanwhile, Spybot is still going ballistic. I chose to reboot manually.

Upon reboot, Spybot again started to go crazy, but this time it was denying registry changes for "Category: Browser Helper Object, Change: Value deleted, Entry: {a whole bunch of letters and numbers}". This was every second as well. I left a window open that said "Spybot - Search & Destroy has detected an important registry entry that has been changed." and the above info was listed, but Spybot wasn't denying anything anymore until I closed that window.

Anyway, I have the ComboFix log here....

"Me" - 2007-07-07 22:46:37 - ComboFix 07-07-07.3 - Service Pack 2


((((((((((((((((((((((((( Files Created from 2007-06-08 to 2007-07-08 )))))))))))))))))))))))))))))))


2007-07-07 22:07 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-07 12:21 4,672 --a------ C:\WINDOWS\system32\hcsrdmgr.exe
2007-07-06 12:20 4,672 --a------ C:\WINDOWS\system32\uselybxt.exe
2007-07-05 12:19 4,672 --a------ C:\WINDOWS\system32\hvaknljp.exe
2007-07-04 12:18 4,672 --a------ C:\WINDOWS\system32\ondvxhgv.exe
2007-07-03 09:55 4,672 --a------ C:\WINDOWS\system32\rpwiosnb.exe
2007-07-02 09:17 <DIR> d-------- C:\Program Files\iPod
2007-07-02 09:14 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-02 09:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-06-28 17:06 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-28 10:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-28 10:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-27 21:44 90,112 --a------ C:\WINDOWS\system32\LQCUI2.dll
2007-06-27 21:44 856,064 --a------ C:\WINDOWS\system32\Ltwvc12n.dll
2007-06-27 21:44 78,336 --a------ C:\WINDOWS\system32\lffax12n.dll
2007-06-27 21:44 53,248 -ra------ C:\WINDOWS\system32\InstMed.exe
2007-06-27 21:44 466,944 --a------ C:\WINDOWS\system32\QCUI2.dll
2007-06-27 21:44 462,848 --a------ C:\WINDOWS\system32\LCamCpl.dll
2007-06-27 21:44 406,016 --a------ C:\WINDOWS\system32\ltkrn12n.dll
2007-06-27 21:44 372,736 --a------ C:\WINDOWS\system32\LVUI2RC.dll
2007-06-27 21:44 328,704 --a------ C:\WINDOWS\system32\LFCMP12n.DLL
2007-06-27 21:44 30,720 --a------ C:\WINDOWS\system32\lfbmp12n.dll
2007-06-27 21:44 259,072 --a------ C:\WINDOWS\system32\LTDIS12n.dll
2007-06-27 21:44 22,016 --a------ C:\WINDOWS\system32\drivers\LVUSBSta.sys
2007-06-27 21:44 215,552 --a------ C:\WINDOWS\system32\Lvkrn12n.dll
2007-06-27 21:44 207,872 --a------ C:\WINDOWS\system32\ltefx12n.dll
2007-06-27 21:44 204,800 --a------ C:\WINDOWS\system32\LVUI2.dll
2007-06-27 21:44 204,800 --a------ C:\WINDOWS\system32\lvcodec2.dll
2007-06-27 21:44 2,180,096 --a------ C:\WINDOWS\system32\drivers\lvsvf2.sys
2007-06-27 21:44 164,864 --a------ C:\WINDOWS\system32\ltimg12n.dll
2007-06-27 21:44 141,312 --a------ C:\WINDOWS\system32\lftif12n.dll
2007-06-27 21:44 131,072 --a------ C:\WINDOWS\system32\ltfil12n.DLL
2007-06-27 21:44 106,496 --a------ C:\WINDOWS\system32\lvcoinst.dll
2007-06-27 21:44 1,317,152 --a------ C:\WINDOWS\system32\drivers\lvcm.sys
2007-06-27 20:03 <DIR> d-------- C:\DOCUME~1\Me\APPLIC~1\Uniblue
2007-06-27 17:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-27 15:38 <DIR> d-------- C:\VundoFix Backups
2007-06-27 14:58 <DIR> d-------- C:\WINDOWS\system32\nkwncvkg
2007-06-27 14:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-06-27 13:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ALM
2007-06-27 13:54 <DIR> d-------- C:\Program Files\Bonjour
2007-06-27 13:35 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-06-20 11:25 <DIR> d-------- C:\WINDOWS\pss
2007-06-14 11:16 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-06-14 11:16 <DIR> d-------- C:\WINDOWS\MVUNINST
2007-06-14 11:16 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2007-06-11 12:04 <DIR> d-------- C:\DOCUME~1\Me\Contacts
2007-06-11 12:03 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-06-11 12:02 <DIR> d-------- C:\Program Files\MSN Messenger


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-08 05:42:36 -------- d-----w C:\DOCUME~1\Me\APPLIC~1\WTablet
2007-07-08 05:03:56 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-07-01 01:05:24 5,718 ----a-w C:\WINDOWS\mozver.dat
2007-06-28 04:44:19 -------- d-----w C:\Program Files\Common Files\Logitech
2007-06-28 04:44:06 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-28 04:42:54 -------- d-----w C:\Program Files\Logitech
2007-06-28 03:43:08 -------- d-----w C:\Program Files\HP
2007-06-25 20:50:05 2,828 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-15 15:38:38 -------- d-----w C:\Program Files\NCH Swift Sound
2007-06-14 03:10:39 -------- d-----w C:\Program Files\Creative
2007-06-06 23:46:37 -------- d-----w C:\Program Files\FTP Commander
2007-06-06 16:35:49 -------- d-----w C:\DOCUME~1\Me\APPLIC~1\Google
2007-06-06 16:35:13 -------- d-----w C:\Program Files\Google
2007-06-04 23:02:02 12,400 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-06-04 22:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 22:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 22:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-14 18:40:54 -------- d-----w C:\Program Files\ATI Technologies
2007-05-03 15:39:56 261 ----a-w C:\WINDOWS\system32\PavCPL.dat
2007-04-27 22:05:38 79,659 ----a-w C:\WINDOWS\hpfins05.dat
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 00:04:26 292,400 ----a-w C:\WINDOWS\system32\PavSHook.dll
2007-04-13 22:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-02-20 20:37:42 8 --sh--r C:\WINDOWS\system32\80C8BA769E.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ D:\Spybot - Search & Destroy\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C670FD71-BDE3-441A-9E63-F996E3C1E035}]
C:\WINDOWS\system32\awtst.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E125205A-23E8-48D7-A7F2-D9DB06B5EBB9}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechVideoRepair"="D:\QuickCam\ISStart.exe" [2005-06-08 15:24]
"LogitechVideoTray"="D:\QuickCam\LogiTray.exe" [2005-06-08 15:14]
"xiladgte.exe"="C:\Documents and Settings\All Users\Application Data\xiladgte.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 05:00]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"LogitechSoftwareUpdate"="D:\QuickCam\ManifestEngine.exe" [2005-06-08 14:44]
"SpybotSD TeaTimer"="D:\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="D:\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 05:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtst]
C:\WINDOWS\system32\awtst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkhefc]
jkkhefc.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]



Contents of the 'Scheduled Tasks' folder
2007-07-02 16:33:06 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-07 22:51:29
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwClose, ZwEnumerateValueKey, ZwQueryValueKey, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-07 22:53:44
C:\ComboFix-quarantined-files.txt ... 2007-07-07 22:53

--- E O F ---

and the new HiJackThis log here...

Logfile of HijackThis v1.99.1
Scan saved at 11:06:30 PM, on 07/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
D:\AdAware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\QuickCam\LogiTray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
D:\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PsCtrls.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
D:\QuickCam\FxSvr2.exe
c:\program files\panda software\panda internet security 2007\firewall\PSHOST.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\psimsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\ApvxdWin.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\WebProxy.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavBckPT.exe
C:\WINDOWS\explorer.exe
D:\iTunes\iTunes.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Mozilla Firefox\firefox.exe
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {C670FD71-BDE3-441A-9E63-F996E3C1E035} - C:\WINDOWS\system32\awtst.dll (file missing)
O2 - BHO: (no name) - {E125205A-23E8-48D7-A7F2-D9DB06B5EBB9} - (no file)
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\QuickCam\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] D:\QuickCam\LogiTray.exe
O4 - HKLM\..\Run: [xiladgte.exe] C:\Documents and Settings\All Users\Application Data\xiladgte.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] D:\QuickCam\ManifestEngine.exe boot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - http://www.creative....026/CTSUEng.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1169066930140
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://tw.msi.com.tw...ine/install.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://www.creative....15029/CTPID.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: awtst - C:\WINDOWS\system32\awtst.dll (file missing)
O20 - Winlogon Notify: jkkhefc - jkkhefc.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\AdAware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - D:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software International - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\psimsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe

Thanks again for any and all help :-)

#5 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 5,577 posts

Posted 08 July 2007 - 10:53 AM

Sorry about the rough time you had. Here is the situation: Spybot is preventing registry changes, which is normally a good thing, because it keeps the bad entries out, but in this case it is trapping the bad entries in the computer.

Please temporarily disable TeaTimer (part of Spybot) by doing the following (it tends to interfere with our fixes; you can re-enable it when you are clean):
  • Run Spybot-S&D
  • Go to the Mode menu, and make sure "Advanced Mode" is selected
  • On the left hand side, choose Tools -> Resident
  • Uncheck "Resident TeaTimer" and OK any prompts
If Panda is going to interfere, you may have to disconnect from the internet and turn Panda's active protection off as well, but usually if you just tell it to allow or ignore, it will be ok. If you turn Panda off, be sure to turn it back on after the scan is finished.

Please re-run ComboFix and post the log. It should be faster and less troublesome without Spybot interfering.
Aczechgurl

Please consider Supporting SWI's fight against Malware (http://flyinghamster...om/support-us/).

Member of ASAP (Alliance of Security Analysis Professionals) (http://asap.maddoktor2.com/)

Fight back: Malware Complaints (http://www.malwareco...mplaints.info/)

#6 Squidolin

Squidolin

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 08 July 2007 - 11:19 AM

Ok, disabled TeaTimer, and re-ran ComboFix. I forgot to mention this last time, but when I ran ComboFix earlier, and this time as well, Panda popped up a window that it detected some malicious software and blocked its action... should I disable Panda and rerun ComboFix, then post that log as well?

Either way, here is the most recent log...

"Me" - 2007-07-08 9:10:16 - ComboFix 07-07-07.3 - Service Pack 2


((((((((((((((((((((((((( Files Created from 2007-06-08 to 2007-07-08 )))))))))))))))))))))))))))))))


2007-07-07 22:07 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-07 12:21 4,672 --a------ C:\WINDOWS\system32\hcsrdmgr.exe
2007-07-06 12:20 4,672 --a------ C:\WINDOWS\system32\uselybxt.exe
2007-07-05 12:19 4,672 --a------ C:\WINDOWS\system32\hvaknljp.exe
2007-07-04 12:18 4,672 --a------ C:\WINDOWS\system32\ondvxhgv.exe
2007-07-03 09:55 4,672 --a------ C:\WINDOWS\system32\rpwiosnb.exe
2007-07-02 09:17 <DIR> d-------- C:\Program Files\iPod
2007-07-02 09:14 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-02 09:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-06-28 10:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-28 10:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-27 21:44 90,112 --a------ C:\WINDOWS\system32\LQCUI2.dll
2007-06-27 21:44 856,064 --a------ C:\WINDOWS\system32\Ltwvc12n.dll
2007-06-27 21:44 78,336 --a------ C:\WINDOWS\system32\lffax12n.dll
2007-06-27 21:44 53,248 -ra------ C:\WINDOWS\system32\InstMed.exe
2007-06-27 21:44 466,944 --a------ C:\WINDOWS\system32\QCUI2.dll
2007-06-27 21:44 462,848 --a------ C:\WINDOWS\system32\LCamCpl.dll
2007-06-27 21:44 406,016 --a------ C:\WINDOWS\system32\ltkrn12n.dll
2007-06-27 21:44 372,736 --a------ C:\WINDOWS\system32\LVUI2RC.dll
2007-06-27 21:44 328,704 --a------ C:\WINDOWS\system32\LFCMP12n.DLL
2007-06-27 21:44 30,720 --a------ C:\WINDOWS\system32\lfbmp12n.dll
2007-06-27 21:44 259,072 --a------ C:\WINDOWS\system32\LTDIS12n.dll
2007-06-27 21:44 22,016 --a------ C:\WINDOWS\system32\drivers\LVUSBSta.sys
2007-06-27 21:44 215,552 --a------ C:\WINDOWS\system32\Lvkrn12n.dll
2007-06-27 21:44 207,872 --a------ C:\WINDOWS\system32\ltefx12n.dll
2007-06-27 21:44 204,800 --a------ C:\WINDOWS\system32\LVUI2.dll
2007-06-27 21:44 204,800 --a------ C:\WINDOWS\system32\lvcodec2.dll
2007-06-27 21:44 2,180,096 --a------ C:\WINDOWS\system32\drivers\lvsvf2.sys
2007-06-27 21:44 164,864 --a------ C:\WINDOWS\system32\ltimg12n.dll
2007-06-27 21:44 141,312 --a------ C:\WINDOWS\system32\lftif12n.dll
2007-06-27 21:44 131,072 --a------ C:\WINDOWS\system32\ltfil12n.DLL
2007-06-27 21:44 106,496 --a------ C:\WINDOWS\system32\lvcoinst.dll
2007-06-27 21:44 1,317,152 --a------ C:\WINDOWS\system32\drivers\lvcm.sys
2007-06-27 20:03 <DIR> d-------- C:\DOCUME~1\Me\APPLIC~1\Uniblue
2007-06-27 17:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-27 15:38 <DIR> d-------- C:\VundoFix Backups
2007-06-27 14:58 <DIR> d-------- C:\WINDOWS\system32\nkwncvkg
2007-06-27 14:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-06-27 13:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ALM
2007-06-27 13:54 <DIR> d-------- C:\Program Files\Bonjour
2007-06-27 13:35 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-06-20 11:25 <DIR> d-------- C:\WINDOWS\pss
2007-06-14 11:16 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-06-14 11:16 <DIR> d-------- C:\WINDOWS\MVUNINST
2007-06-14 11:16 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2007-06-11 12:04 <DIR> d-------- C:\DOCUME~1\Me\Contacts
2007-06-11 12:03 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-06-11 12:02 <DIR> d-------- C:\Program Files\MSN Messenger


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-08 15:57:59 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-07-08 15:13:49 -------- d-----w C:\DOCUME~1\Me\APPLIC~1\WTablet
2007-07-01 01:05:24 5,718 ----a-w C:\WINDOWS\mozver.dat
2007-06-28 04:44:19 -------- d-----w C:\Program Files\Common Files\Logitech
2007-06-28 04:44:06 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-28 04:42:54 -------- d-----w C:\Program Files\Logitech
2007-06-28 03:43:08 -------- d-----w C:\Program Files\HP
2007-06-25 20:50:05 2,828 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-15 15:38:38 -------- d-----w C:\Program Files\NCH Swift Sound
2007-06-14 03:10:39 -------- d-----w C:\Program Files\Creative
2007-06-06 23:46:37 -------- d-----w C:\Program Files\FTP Commander
2007-06-06 16:35:49 -------- d-----w C:\DOCUME~1\Me\APPLIC~1\Google
2007-06-06 16:35:13 -------- d-----w C:\Program Files\Google
2007-06-04 23:02:02 12,400 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-06-04 22:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 22:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 22:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-14 18:40:54 -------- d-----w C:\Program Files\ATI Technologies
2007-05-03 15:39:56 261 ----a-w C:\WINDOWS\system32\PavCPL.dat
2007-04-27 22:05:38 79,659 ----a-w C:\WINDOWS\hpfins05.dat
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 00:04:26 292,400 ----a-w C:\WINDOWS\system32\PavSHook.dll
2007-04-13 22:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-02-20 20:37:42 8 --sh--r C:\WINDOWS\system32\80C8BA769E.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ D:\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechVideoRepair"="D:\QuickCam\ISStart.exe" [2005-06-08 15:24]
"LogitechVideoTray"="D:\QuickCam\LogiTray.exe" [2005-06-08 15:14]
"xiladgte.exe"="C:\Documents and Settings\All Users\Application Data\xiladgte.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 05:00]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"LogitechSoftwareUpdate"="D:\QuickCam\ManifestEngine.exe" [2005-06-08 14:44]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtst]
C:\WINDOWS\system32\awtst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkhefc]
jkkhefc.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]



Contents of the 'Scheduled Tasks' folder
2007-07-02 16:33:06 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-08 09:13:41
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwClose, ZwEnumerateValueKey, ZwQueryValueKey, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-08 9:14:29
C:\ComboFix-quarantined-files.txt ... 2007-07-08 09:14
C:\ComboFix2.txt ... 2007-07-07 22:53

--- E O F ---


Thanks again :D

#7 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 5,577 posts

Posted 08 July 2007 - 11:30 AM

Yes, if you could disable Panda and try one more time. If that does not work we will try something else.

#8 Squidolin

Squidolin

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 08 July 2007 - 02:03 PM

Ok, I had to uninstall Panda completely, as it seems part of it was still active even after I thought I had disabled everything :hmmm: Then I rebooted, disconnected from the internet and ran ComboFix again...

Here's the log...

"Me" - 2007-07-08 11:20:53 - ComboFix 07-07-07.3 - Service Pack 2


((((((((((((((((((((((((( Files Created from 2007-06-08 to 2007-07-08 )))))))))))))))))))))))))))))))


2007-07-07 22:07 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-07 12:21 4,672 --a------ C:\WINDOWS\system32\hcsrdmgr.exe
2007-07-06 12:20 4,672 --a------ C:\WINDOWS\system32\uselybxt.exe
2007-07-05 12:19 4,672 --a------ C:\WINDOWS\system32\hvaknljp.exe
2007-07-04 12:18 4,672 --a------ C:\WINDOWS\system32\ondvxhgv.exe
2007-07-03 09:55 4,672 --a------ C:\WINDOWS\system32\rpwiosnb.exe
2007-07-02 09:17 <DIR> d-------- C:\Program Files\iPod
2007-07-02 09:14 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-02 09:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-06-28 10:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-28 10:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-27 21:44 90,112 --a------ C:\WINDOWS\system32\LQCUI2.dll
2007-06-27 21:44 856,064 --a------ C:\WINDOWS\system32\Ltwvc12n.dll
2007-06-27 21:44 78,336 --a------ C:\WINDOWS\system32\lffax12n.dll
2007-06-27 21:44 53,248 -ra------ C:\WINDOWS\system32\InstMed.exe
2007-06-27 21:44 466,944 --a------ C:\WINDOWS\system32\QCUI2.dll
2007-06-27 21:44 462,848 --a------ C:\WINDOWS\system32\LCamCpl.dll
2007-06-27 21:44 406,016 --a------ C:\WINDOWS\system32\ltkrn12n.dll
2007-06-27 21:44 372,736 --a------ C:\WINDOWS\system32\LVUI2RC.dll
2007-06-27 21:44 328,704 --a------ C:\WINDOWS\system32\LFCMP12n.DLL
2007-06-27 21:44 30,720 --a------ C:\WINDOWS\system32\lfbmp12n.dll
2007-06-27 21:44 259,072 --a------ C:\WINDOWS\system32\LTDIS12n.dll
2007-06-27 21:44 22,016 --a------ C:\WINDOWS\system32\drivers\LVUSBSta.sys
2007-06-27 21:44 215,552 --a------ C:\WINDOWS\system32\Lvkrn12n.dll
2007-06-27 21:44 207,872 --a------ C:\WINDOWS\system32\ltefx12n.dll
2007-06-27 21:44 204,800 --a------ C:\WINDOWS\system32\LVUI2.dll
2007-06-27 21:44 204,800 --a------ C:\WINDOWS\system32\lvcodec2.dll
2007-06-27 21:44 2,180,096 --a------ C:\WINDOWS\system32\drivers\lvsvf2.sys
2007-06-27 21:44 164,864 --a------ C:\WINDOWS\system32\ltimg12n.dll
2007-06-27 21:44 141,312 --a------ C:\WINDOWS\system32\lftif12n.dll
2007-06-27 21:44 131,072 --a------ C:\WINDOWS\system32\ltfil12n.DLL
2007-06-27 21:44 106,496 --a------ C:\WINDOWS\system32\lvcoinst.dll
2007-06-27 21:44 1,317,152 --a------ C:\WINDOWS\system32\drivers\lvcm.sys
2007-06-27 20:03 <DIR> d-------- C:\DOCUME~1\Me\APPLIC~1\Uniblue
2007-06-27 17:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-27 15:38 <DIR> d-------- C:\VundoFix Backups
2007-06-27 14:58 <DIR> d-------- C:\WINDOWS\system32\nkwncvkg
2007-06-27 14:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-06-27 13:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ALM
2007-06-27 13:54 <DIR> d-------- C:\Program Files\Bonjour
2007-06-27 13:35 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-06-20 11:25 <DIR> d-------- C:\WINDOWS\pss
2007-06-14 11:16 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-06-14 11:16 <DIR> d-------- C:\WINDOWS\MVUNINST
2007-06-14 11:16 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2007-06-11 12:04 <DIR> d-------- C:\DOCUME~1\Me\Contacts
2007-06-11 12:03 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-06-11 12:02 <DIR> d-------- C:\Program Files\MSN Messenger


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-08 18:19:38 -------- d-----w C:\DOCUME~1\Me\APPLIC~1\WTablet
2007-07-08 18:19:08 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-08 18:19:06 -------- d-----w C:\Program Files\Common Files\Panda Software
2007-07-08 17:32:33 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-07-01 01:05:24 5,718 ----a-w C:\WINDOWS\mozver.dat
2007-06-28 04:44:19 -------- d-----w C:\Program Files\Common Files\Logitech
2007-06-28 04:42:54 -------- d-----w C:\Program Files\Logitech
2007-06-28 03:43:08 -------- d-----w C:\Program Files\HP
2007-06-25 20:50:05 2,828 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-15 15:38:38 -------- d-----w C:\Program Files\NCH Swift Sound
2007-06-14 03:10:39 -------- d-----w C:\Program Files\Creative
2007-06-06 23:46:37 -------- d-----w C:\Program Files\FTP Commander
2007-06-06 16:35:49 -------- d-----w C:\DOCUME~1\Me\APPLIC~1\Google
2007-06-06 16:35:13 -------- d-----w C:\Program Files\Google
2007-06-04 23:02:02 12,400 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-06-04 22:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 22:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 22:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-14 18:40:54 -------- d-----w C:\Program Files\ATI Technologies
2007-04-27 22:05:38 79,659 ----a-w C:\WINDOWS\hpfins05.dat
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-13 22:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-02-20 20:37:42 8 --sh--r C:\WINDOWS\system32\80C8BA769E.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ D:\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechVideoRepair"="D:\QuickCam\ISStart.exe" [2005-06-08 15:24]
"LogitechVideoTray"="D:\QuickCam\LogiTray.exe" [2005-06-08 15:14]
"xiladgte.exe"="C:\Documents and Settings\All Users\Application Data\xiladgte.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 05:00]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"LogitechSoftwareUpdate"="D:\QuickCam\ManifestEngine.exe" [2005-06-08 14:44]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtst]
C:\WINDOWS\system32\awtst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkhefc]
jkkhefc.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]



Contents of the 'Scheduled Tasks' folder
2007-07-02 16:33:06 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-08 11:23:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-08 11:24:00
C:\ComboFix-quarantined-files.txt ... 2007-07-08 11:23

--- E O F ---

I have reinstalled Panda.

Thanks :D

#9 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 5,577 posts

Posted 08 July 2007 - 04:39 PM

Can you post a fresh HijackThis log please.

Thanks

#10 Squidolin

Squidolin

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 08 July 2007 - 04:43 PM

Here you go...

Logfile of HijackThis v1.99.1
Scan saved at 2:43:39 PM, on 08/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Panda2007\pavsrv51.exe
D:\Program Files\Panda2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Panda2007\TPSrv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\AdAware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Panda2007\PsCtrls.exe
D:\Program Files\Panda2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\system32\HPZipm12.exe
D:\Program Files\Panda2007\AntiSpam\pskmssvc.exe
d:\program files\panda2007\firewall\PSHOST.EXE
D:\QuickCam\LogiTray.exe
D:\Program Files\Panda2007\PsImSvc.exe
D:\Program Files\Panda2007\APVXDWIN.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\LVComsX.exe
D:\QuickCam\FxSvr2.exe
D:\Program Files\Panda2007\SRVLOAD.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Program Files\Panda2007\WebProxy.exe
D:\Program Files\Panda2007\PavBckPT.exe
D:\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
D:\MOZILL~1\FIREFOX.EXE
D:\QuickCam\AlbumDB2.exe
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\QuickCam\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] D:\QuickCam\LogiTray.exe
O4 - HKLM\..\Run: [xiladgte.exe] C:\Documents and Settings\All Users\Application Data\xiladgte.exe
O4 - HKLM\..\Run: [APVXDWIN] "D:\Program Files\Panda2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "D:\Program Files\Panda2007\Inicio.exe"
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] D:\QuickCam\ManifestEngine.exe boot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - http://www.creative....026/CTSUEng.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1169066930140
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://tw.msi.com.tw...ine/install.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://www.creative....15029/CTPID.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: awtst - C:\WINDOWS\system32\awtst.dll (file missing)
O20 - Winlogon Notify: jkkhefc - jkkhefc.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\AdAware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - D:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Panda Software Controller - Panda Software International - D:\Program Files\Panda2007\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - D:\Program Files\Panda2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software International - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - D:\Program Files\Panda2007\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - D:\Program Files\Panda2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - d:\program files\panda2007\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - D:\Program Files\Panda2007\PsImSvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - D:\Program Files\Panda2007\TPSrv.exe
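
A small triage helper for the two log formats posted in this thread, written here as an added example (it is not code from the thread, nor from the HijackThis or ComboFix authors). It flags the same kinds of entries the helper singles out in the replies: HijackThis autorun lines whose target file is gone or that launch an executable from under Application Data, and ComboFix "Files Created" runs of same-size, random-named executables dropped into system32 on successive days. The sample lines are copied from the logs above; the three-day threshold and the line-type list are assumptions.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample input, copied from the HijackThis log posted above.
HJT_LINES = [
    "R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)",
    "O4 - HKLM\\..\\Run: [LogitechVideoTray] D:\\QuickCam\\LogiTray.exe",
    "O4 - HKLM\\..\\Run: [xiladgte.exe] C:\\Documents and Settings\\All Users\\Application Data\\xiladgte.exe",
    "O20 - Winlogon Notify: awtst - C:\\WINDOWS\\system32\\awtst.dll (file missing)",
    "O20 - Winlogon Notify: jkkhefc - jkkhefc.dll (file missing)",
    "O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll",
]

# Constructed sample input, copied from the ComboFix "Files Created" section above.
COMBOFIX_LINES = [
    "2007-07-07 22:07 51,200 --a------ C:\\WINDOWS\\nircmd.exe",
    "2007-07-07 12:21 4,672 --a------ C:\\WINDOWS\\system32\\hcsrdmgr.exe",
    "2007-07-06 12:20 4,672 --a------ C:\\WINDOWS\\system32\\uselybxt.exe",
    "2007-07-05 12:19 4,672 --a------ C:\\WINDOWS\\system32\\hvaknljp.exe",
    "2007-06-27 21:44 53,248 -ra------ C:\\WINDOWS\\system32\\InstMed.exe",
    "2007-07-02 09:17 <DIR> d-------- C:\\Program Files\\iPod",
]

# HijackThis line types that describe something loaded at logon (assumed subset).
AUTORUN_TYPES = ("O4 -", "O20 -", "R3 -")
MISSING_TARGET = re.compile(r"\((file missing|no file)\)\s*$")
APPDATA_PATH = re.compile(r"\\application data\\", re.IGNORECASE)


def flag_hijackthis(lines):
    """Return (line, reason) pairs for autorun entries worth a closer look.

    A Winlogon Notify or URLSearchHook entry whose DLL is gone is a leftover
    loader; a Run entry that launches an .exe out of Application Data is an
    autorun in a location installers normally do not use.
    """
    flagged = []
    for line in lines:
        if not line.startswith(AUTORUN_TYPES):
            continue
        if MISSING_TARGET.search(line):
            flagged.append((line, "autorun points at a file that no longer exists"))
        elif APPDATA_PATH.search(line):
            flagged.append((line, "autorun launches an executable from a data directory"))
    return flagged


# ComboFix file rows: date, time, size with thousands separators, attributes, path.
COMBOFIX_FILE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) ([\d,]+) (\S+) (.+)$")


def parse_combofix(lines):
    """Yield (date, size, path) for file rows; <DIR> rows have no size and are skipped."""
    entries = []
    for line in lines:
        m = COMBOFIX_FILE.match(line)
        if not m:
            continue
        entries.append((date.fromisoformat(m.group(1)),
                        int(m.group(3).replace(",", "")),
                        m.group(5)))
    return entries


def find_dropper_series(lines, min_days=3):
    """Group .exe files by (directory, size) and report groups created on at
    least min_days distinct days: the daily re-dropped loader pattern in the log."""
    groups = defaultdict(list)
    for created, size, path in parse_combofix(lines):
        if not path.lower().endswith(".exe"):
            continue
        directory = path.rsplit("\\", 1)[0].lower()
        groups[(directory, size)].append((created, path))
    series = []
    for (directory, size), items in groups.items():
        days = {created for created, _ in items}
        if len(days) >= min_days:
            series.append({"directory": directory, "size": size,
                           "days": len(days),
                           "files": sorted(path for _, path in items)})
    return series


if __name__ == "__main__":
    for line, reason in flag_hijackthis(HJT_LINES):
        print(f"[HJT] {reason}: {line}")
    for s in find_dropper_series(COMBOFIX_LINES):
        print(f"[CF] {len(s['files'])} executables of {s['size']} bytes in "
              f"{s['directory']} over {s['days']} days: {', '.join(s['files'])}")
```
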

#11 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 5,577 posts

Posted 08 July 2007 - 07:11 PM

It looks like we are making progress now.

  • Run HijackThis, choose "Do a system scan only" and checkmark the box next to the following entries:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - HKLM\..\Run: [xiladgte.exe] C:\Documents and Settings\All Users\Application Data\xiladgte.exe
    O20 - Winlogon Notify: awtst - C:\WINDOWS\system32\awtst.dll (file missing)
    O20 - Winlogon Notify: jkkhefc - jkkhefc.dll (file missing)

  • Close all other windows and browsers, then click "Fix Checked".


  • Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Double-click OTMoveIt.exe to run it.
  • Where it says "Paste List of Files/Folders to be Moved", copy and paste the following list into that window:

    C:\WINDOWS\system32\hcsrdmgr.exe
    C:\WINDOWS\system32\uselybxt.exe
    C:\WINDOWS\system32\hvaknljp.exe
    C:\WINDOWS\system32\ondvxhgv.exe
    C:\WINDOWS\system32\rpwiosnb.exe
    C:\WINDOWS\system32\80C8BA769E.sys
    C:\Documents and Settings\All Users\Application Data\xiladgte.exe


  • Then click the red Moveit! button below.
  • Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes; it will then reboot your computer.

Then, after the reboot (in case it asked for one), go to the folder C:\OTMoveIt\MovedFiles and look for the log ********_******.log (the * stands for date and time). Post its contents in your next reply together with a fresh HijackThis log.
Aczechgurl

Please consider Supporting SWI's fight against Malware (http://flyinghamster...om/support-us/).

Member of ASAP (Alliance of Security Analysis Professionals) (http://asap.maddoktor2.com/)

Fight back: Malware Complaints (http://www.malwareco...mplaints.info/)

#12 Squidolin

Squidolin

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 09 July 2007 - 12:45 AM

OTMoveIt log below...

C:\WINDOWS\system32\hcsrdmgr.exe moved successfully.
C:\WINDOWS\system32\uselybxt.exe moved successfully.
C:\WINDOWS\system32\hvaknljp.exe moved successfully.
C:\WINDOWS\system32\ondvxhgv.exe moved successfully.
C:\WINDOWS\system32\rpwiosnb.exe moved successfully.
C:\WINDOWS\system32\80C8BA769E.sys moved successfully.
File/Folder C:\Documents and Settings\All Users\Application Data\xiladgte.exe not found.

Created on 07/08/2007 22:40:42

Wasn't asked to reboot after OTMoveIt was done.


and new HiJackThis log...

Logfile of HijackThis v1.99.1
Scan saved at 10:41:27 PM, on 08/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Panda2007\pavsrv51.exe
D:\Program Files\Panda2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Panda2007\TPSrv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\AdAware\aawservice.exe
D:\QuickCam\LogiTray.exe
D:\Program Files\Panda2007\APVXDWIN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Panda2007\PsCtrls.exe
D:\Program Files\Panda2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\system32\HPZipm12.exe
D:\Program Files\Panda2007\AntiSpam\pskmssvc.exe
C:\WINDOWS\system32\LVComsX.exe
D:\QuickCam\FxSvr2.exe
d:\program files\panda2007\firewall\PSHOST.EXE
D:\Program Files\Panda2007\PsImSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Program Files\Panda2007\SRVLOAD.EXE
D:\Program Files\Panda2007\WebProxy.exe
D:\Program Files\Panda2007\PavBckPT.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\QuickCam\AlbumDB2.exe
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\QuickCam\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] D:\QuickCam\LogiTray.exe
O4 - HKLM\..\Run: [APVXDWIN] "D:\Program Files\Panda2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "D:\Program Files\Panda2007\Inicio.exe"
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] D:\QuickCam\ManifestEngine.exe boot
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - http://www.creative....026/CTSUEng.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1169066930140
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://tw.msi.com.tw...ine/install.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://www.creative....15029/CTPID.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\AdAware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - D:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Panda Software Controller - Panda Software International - D:\Program Files\Panda2007\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - D:\Program Files\Panda2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software International - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - D:\Program Files\Panda2007\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - D:\Program Files\Panda2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - d:\program files\panda2007\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - D:\Program Files\Panda2007\PsImSvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - D:\Program Files\Panda2007\TPSrv.exe



Thanks again for all your input so far :-)

Edited by Squidolin, 09 July 2007 - 12:47 AM.


#13 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 5,577 posts

Posted 09 July 2007 - 07:09 AM

That's looking better. How is your computer working now? Are we still getting the popups from IE? And what about the memory errors?

#14 Squidolin

Squidolin

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 09 July 2007 - 10:48 AM

It seems to be running better for sure. No more pop ups from IE. However, I do get a little warning balloon pop up from the task bar, but it goes away so fast, I have no idea what it says. If I do somehow get it to stay on long enough, I can post it for you, but I can't guarantee that I'll be able to read it.

The memory errors I still get unfortunately, so I think that is an entirely different problem. In fact, it was the original problem, (I might try to "fix" Windows with the disk, because I've also lost the ability to change the look of Windows XP. What I mean is, I am in "Classic" mode now, but when I try to switch it to "Windows XP" theme, nothing happens, and I believe that is related to the error messages.) and my not knowing how to fix it got me into the other problems which you helped me fix.

Thanks a ton for that.

#15 Squidolin

Squidolin

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 09 July 2007 - 12:01 PM

I managed to see what the warning bubble said...

"Your computer may be at risk. To solve this problem, click here"

It's not a regular Windows warning message, but just looks like one, and it looks as if Panda is taking care of it on its own, but it pops up fairly frequently.

#16 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 5,577 posts

Posted 09 July 2007 - 09:12 PM

Does the "Your computer may be at risk. To solve this problem, click here" only pop up when you restart your computer, and then go away after a minute or so?


Have you tried the restore themes fix from Kelly's Korner? If not, I would try that.

http://www.kellys-ko...m/xp_tweaks.htm

Download the regfix at number 187; also download the Restore Luna theme next to it. Extract the zipped resources folder to your desktop, then copy the extracted resources folder (unzipped copy) into your C:\Windows folder. If prompted to overwrite, say yes. Reboot and try to change themes. If that does not work, run the regfix you downloaded previously by double-clicking it and choosing Yes to merge it with the registry. Reboot and test again.

Let me know what happens.

#17 Squidolin

Squidolin

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 09 July 2007 - 11:19 PM

The "Your computer..." popped up about every 15 minutes or so. I've just booted my machine from having it off for a while, and so far no warnings. I'll try the fix from Kelly's Korner, thank you for that suggestion.

You'll have to remind me which regfix I downloaded, sorry...been downloading a lot of files last few days hehehe.

Will try what you suggest and let you know.

#18 Squidolin

Squidolin

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 09 July 2007 - 11:24 PM

Double post...sorry...but did just get the popup warning as I am editing this :-(

Since I have this post made already, I'll add to it...

I have my Windows XP Theme back, thank you. The line at 187 on Kelly's Korner just opened up a new page with a bunch of text, so I ignored it, and downloaded the Restore Luna file and extracted it directly into my C:\Windows, reboot, and that problem is solved.

Also, for fun, I ran SpyBot again, and it found only 2 errors...

Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter.UpdateDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0

Could this be related to my popup problem, which still exists by the way :-(

Plus, in my HiJackThis logs, I have no idea what "O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S" is or where I got it from...is it part of Windows or another program I am running?

Thanks so much for your time and effort so far, I very much appreciate it.

Edited by Squidolin, 10 July 2007 - 12:23 AM.


#19 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 5,577 posts

Posted 10 July 2007 - 06:27 PM

It looks like you installed the Uniblue Registry Booster on 6/27 a few hours after you installed Spybot. You should be able to uninstall it via the Add or Remove Control panel.

2007-06-27 20:03 <DIR> d-------- C:\DOCUME~1\Me\APPLIC~1\Uniblue

I do not have any experience with Panda, but if it is similar to Norton you should leave these entries alone:

Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter.UpdateDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0

If you have already fixed them you should put the entries back. With Norton, if you fix those entries then Windows will give you messages every time the firewall or anti-virus updates or turns off for a second. Norton does better if you let it handle the messages instead of Windows.

Have you done all the program updates for Panda since you reinstalled it? If not, I would start with that. If the CD for Panda that you have is pre-Windows Service Pack 2 (SP2), then there is probably a compatibility update that you need to do so Panda will handle the messaging instead of Windows. With Norton it is called the WMI update; it may be called something similar, but it should install if you do all the program updates, not just the signature updates.

#20 Squidolin

Squidolin

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 10 July 2007 - 07:13 PM

Yes, I keep Panda updated all the time.

So far today, I've had none of those popups, which is good, thank you for everything. Now I just have to figure out why I get all the Memory Errors, and hopefully I won't run into the same problems that we just cured :D

I'll leave those Registry Entries alone then.

I can't see that Uniblue in Add/Remove Programs, I'll try to find it another way.

Again, thanks for all your help.

Edited by Squidolin, 10 July 2007 - 07:15 PM.


#21 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 5,577 posts

Posted 10 July 2007 - 07:16 PM

See if you can get me the exact wording of one of the memory errors and I will let you know if I have any ideas.

#22 Squidolin

Squidolin

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 10 July 2007 - 07:41 PM

"The instruction @ "0x00401613" referenced memory @ "0x00006678". The memory could not be "read". Click on OK to terminate the program"

This happens when I boot up the computer and WGA_Tray and ManifestEngine (both auto update programs for stuff I have installed) try to run. It also happens when my Panda Auto Update is trying to run. When I open "Windows Explorer" (I don't use "My Computer", don't ask why, been too long hehehe), I get the same message, and the .exe file in the title bar is "explorer.exe". When I try to update Windows, it downloads the file to a certain percent, then I get the error for "update.exe", then I click OK and the update is failed, for each update trying to download/install i.e. 4 updates, 4 errors. A couple errors pop up when I shut my computer down. Also, when I close a program, like Quicktime, I get the error. It always reads the same, but of course different .exe files in the title bar, and the memory addresses are not the same. I've already done the hardware tests, and it isn't the RAM itself.

Windows has a solution for when the memory could not be "written", but nothing about "read".
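The two hex numbers in that dialog carry more diagnostic value than the post gives them credit for. On 32-bit Windows XP the first 64 KB of every process is never mapped, so a fault on 0x00006678 is a read through a null pointer plus a small offset, a deterministic software bug, whereas a bad RAM module corrupts random data and would not keep producing tiny addresses. The instruction address 0x00401613 sits just above 0x00400000, the image base most linkers give a main .exe, which points at the crashing program's own module rather than a shared DLL. The Python below is an added example, not code from this thread; the 1 MB module span it uses to decide "inside the main module" is an assumption (real module sizes vary), and the sample dialog text is the one Squidolin quoted.

```python
import re
from typing import Dict, Optional

# Constructed sample: the dialog text quoted in post #22 of this thread.
SAMPLE_DIALOG = ('The instruction @ "0x00401613" referenced memory @ "0x00006678". '
                 'The memory could not be "read". Click on OK to terminate the program')

# Accepts both the "at" and the "@" spelling of the Windows application-error dialog.
ERROR_RE = re.compile(
    r'instruction (?:at|@)\s*"?(0x[0-9a-f]+)"?\s*referenced memory (?:at|@)\s*"?(0x[0-9a-f]+)"?'
    r'.*?could not be\s*"?(read|written)"?',
    re.IGNORECASE | re.DOTALL,
)

NULL_PARTITION_END = 0x00010000   # 32-bit Windows never maps the first 64 KB of a process
USER_SPACE_END = 0x80000000       # default 2 GB user/kernel split on 32-bit Windows XP
DEFAULT_EXE_BASE = 0x00400000     # image base most linkers assign to a main .exe
# Assumption for this example: treat the first 1 MB above the default base as the main
# module. The true size depends on the executable and is not known from the dialog alone.
DEFAULT_EXE_SPAN = 0x00100000


def parse_error(text: str) -> Optional[Dict[str, object]]:
    """Extract instruction address, faulting address and operation from the dialog text.

    Returns None for dialogs whose addresses were not captured (e.g. the '" "' placeholders
    in the opening post), so callers never work from made-up numbers.
    """
    m = ERROR_RE.search(text)
    if not m:
        return None
    return {
        "instruction": int(m.group(1), 16),
        "address": int(m.group(2), 16),
        "operation": m.group(3).lower(),
    }


def classify_address(addr: int) -> str:
    """Coarse classification of a faulting address in a 32-bit user-mode process."""
    if addr < NULL_PARTITION_END:
        return "null-pointer-plus-offset"   # never a valid address: a software bug
    if addr >= USER_SPACE_END:
        return "kernel-space"               # user code touching kernel addresses
    return "user-space"                     # could be use-after-free, bad index, corruption


def describe(text: str) -> Optional[Dict[str, object]]:
    """Turn one 'instruction at ... referenced memory at ...' dialog into triage hints."""
    info = parse_error(text)
    if info is None:
        return None
    addr_class = classify_address(info["address"])
    in_main_module = DEFAULT_EXE_BASE <= info["instruction"] < DEFAULT_EXE_BASE + DEFAULT_EXE_SPAN
    return {
        **info,
        "address_class": addr_class,
        "instruction_in_default_exe_range": in_main_module,
        # For a null-pointer fault the address is the field offset the code tried to read.
        "null_offset": info["address"] if addr_class == "null-pointer-plus-offset" else None,
        "likely_software_bug": addr_class == "null-pointer-plus-offset",
    }


if __name__ == "__main__":
    for key, value in describe(SAMPLE_DIALOG).items():
        print(f"{key:36} {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key:36} {value}")
```

A practical caveat: the dialog names only the process whose thread faulted, and the same null-pointer pattern appearing across Explorer, WgaTray and update.exe is more consistent with one shared component loaded into all of them (a shell extension, Winlogon notify DLL or LSP, exactly the O2/O10/O20 classes HijackThis lists) than with each program having its own bug.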

#23 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 5,577 posts

Posted 10 July 2007 - 08:14 PM

You know, I think I would run System File Checker. We already know Luna was missing or corrupt, who is to say what else is missing/corrupt that could be causing your memory errors.

With your windows CD in hand, go to the Start->Run and type in:

sfc /scannow

Click OK and the Windows File Protection scan will start running. Follow the onscreen prompts; if files are missing it will prompt you to put in the CD to replace them.

Let me know what happens.

#24 Squidolin

Squidolin

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 11 July 2007 - 01:16 AM

As slow and painful as that was, I did it twice. The second time it was still asking for the CD (assuming it only asks for the CD when it needs to replace a file, which one would think it replaced them all the first go around?)

The progress window just disappeared when it was done, and after waiting a few minutes, I decided to reboot after each scan, but still had the errors come up.

#25 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 5,577 posts

Posted 12 July 2007 - 09:03 PM

Question...

If you go to Start->Control Panel->Automatic Updates, turn off Automatic Updates, then click Apply and OK and restart, do you still get the memory errors?

#26 Squidolin

Squidolin

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 13 July 2007 - 12:26 AM

My Automatic Updates for Windows are off, so I don't get the error when I boot up as far as Windows Update is concerned, but I still am getting it for "ManifestEngine" and "WgaTray". Even when I try to manually update Windows, I get the error messages and can't update Windows at all. Windows Update downloads the file to about 19% say, then I get the error, but the file is still downloading if I don't click Ok, but stalls at what looks like 100%, and when I finally can't wait anymore, and click OK, it tells me the update failed.
I still get the message when I try to open Windows Explorer. I also still get the error when I close programs, which is odd to me, because I just closed the program, but Windows is telling me it crashed(?).

#27 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 5,577 posts

Posted 15 July 2007 - 05:20 PM

Since you seem to be pretty good at troubleshooting, let's try something and see if we can't find the problem. You may want to print out this section since you will be rebooting a lot.

Go to Start->Run, type msconfig, and click OK. Choose Selective Startup and uncheck all 4 items that have a check box, click Apply then OK, and restart. See if you get any memory errors; if so, then go back into msconfig and choose Normal Startup, Apply, then OK, restart, and tell me.

If you do not get any errors, then go back into msconfig and check Process SYSTEM.INI File, Apply and reboot, see if you get errors, if so set it to Normal Startup and let me know.

If you do not get any errors, then repeat the same procedure above with WIN.INI, then with System Services, then finally with Startup Items. Let me know at which point the errors reappear.

#28 Squidolin

Squidolin

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 16 July 2007 - 12:12 PM

Sorry for the late reply.

I ran msconfig, then deselected everything you suggested. I got no errors on bootup, as neither of the devices associated with the errors was loaded, so I defaulted to what I know causes the error, and tried to open Windows Explorer, and got the error. I continued with the rest of what you suggested anyway, and every time I got the error when I opened Windows Explorer.
One thing I noticed each time I rebooted, if I deselected "Load Startup Items", it always came back with a greyed out check mark in the box when the computer restarted. The last time, when I had SYSTEM.INI, WIN.INI and System Services checked only, upon reboot, there was a green box in the Load Startup Files check box.
Maybe I'll try to put the "My Computer" Icon back on my desktop and see if I get the error from that too.

#29 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 5,577 posts

Posted 16 July 2007 - 11:03 PM

If you had the greyed-out Startup Items, it sounds like Normal Startup was selected.

I was trying to see if another driver or startup item is actually causing a problem other than the two we already know have problems. Turning the ones we know have problems back on first might defeat the purpose, unless you turned everything else off and just turned those two on and did not get the error message; that might be significant. I figured you would just open any of the other programs that crashed when you closed it and see if you still get the error message.

A green box means some startup items are disabled, but not all.

Question....

During the brief period when you had Panda uninstalled, do you remember getting any of the memory errors?

#30 Squidolin

Squidolin

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 17 July 2007 - 12:11 AM

I redid msconfig just to make sure I hadn't selected Normal Startup, and when I unchecked everything in Selective Startup, it jumped up to Diagnostic Startup, so I selected Selective Startup again, and made sure everything was unchecked, then rebooted. When the system came back online, the Startup Items was greyed out and checked again.
I also don't recall offhand what happened with Panda uninstalled, so I uninstalled it again, and still got the errors.
Is there a way to see when programs had been installed? This problem started about 2 months ago, so I wouldn't mind seeing if there's a way to see what I might have installed then that might have caused the problem.
I sure hope it isn't my motherboard too, that would suck.

#31 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 5,577 posts

Posted 17 July 2007 - 12:26 AM

Study the ComboFix log; it gives us some clues about what has been installed since April. If you think you have the date narrowed down and want to know what something or a group of things are, let me know. Look at both the top part and the Find3M report.

For example, I know from this line

2007-05-14 18:40:54 -------- d-----w C:\Program Files\ATI Technologies

that on 5/14 you updated or installed what is most likely a video driver.
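As an added example (not code from the thread or from ComboFix), a small parser for listing lines like the one quoted above, used to pull out the entries whose timestamp falls in the window the poster wants to examine. The field layout is assumed from that single line (date, time, size or dashes, attribute flags, path), and the sample log below is constructed, with only its first line taken from the post.

```python
import re
from datetime import datetime

# Assumed layout, taken from the one line quoted in the post:
#   <date> <time> <size or --------> <attribute flags> <path>
# Treating every listing line this way is an assumption, not ComboFix documentation.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>-{8}|\d+)\s+(?P<attrs>[d-][-rhsatw]{6})\s+(?P<path>.+)$"
)


def parse_line(line):
    """Return a dict for a listing line, or None for anything else (headers, notes)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "when": datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M:%S"),
        "is_dir": m["attrs"].startswith("d"),          # leading 'd' marks a directory
        "size": None if m["size"].startswith("-") else int(m["size"]),
        "attrs": m["attrs"],
        "path": m["path"],
    }


def entries_between(lines, start, end):
    """Entries with start <= timestamp < end (both 'YYYY-MM-DD'), newest first."""
    lo = datetime.strptime(start, "%Y-%m-%d")
    hi = datetime.strptime(end, "%Y-%m-%d")
    found = [e for e in map(parse_line, lines) if e and lo <= e["when"] < hi]
    found.sort(key=lambda e: e["when"], reverse=True)
    return found


# Constructed sample log: first line is from the post, the rest are made up.
SAMPLE_LOG = """\
2007-05-14 18:40:54 -------- d-----w C:\\Program Files\\ATI Technologies
2007-05-20 09:12:03 45056 ----a-w C:\\WINDOWS\\system32\\example-made-up.dll
2007-03-02 11:00:00 -------- d-----w C:\\Program Files\\Mozilla Firefox
this line is not a listing entry
""".splitlines()

if __name__ == "__main__":
    # "about 2 months ago" from a late-June post: look at April through June.
    for e in entries_between(SAMPLE_LOG, "2007-04-01", "2007-07-01"):
        kind = "dir " if e["is_dir"] else "file"
        print(f"{e['when']:%Y-%m-%d %H:%M} {kind} {e['path']}")
```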

#32 Squidolin

Squidolin

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 18 July 2007 - 11:32 AM

I tried that, but didn't see anything out of the ordinary. Oh well...I'm stumped.

#33 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 5,577 posts

Posted 20 July 2007 - 07:49 PM

Sorry for the delay,

For some reason I did not receive notification of your reply.

You might try this; it has been known to fix some of these more obscure problems. If you use it, I would click the double checkmark and have it check everything, but I am guessing it might be an IE or Explorer problem, since it seems to be so widespread.

http://wiki.djlizard.net/Dial-a-fix

Let me know what happens.

#34 Squidolin

Squidolin

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 21 July 2007 - 04:32 PM

I have the same problem, not getting email notifications of replies.

Anyway, I downloaded Dial-A-Fix but it seems to hang up at a certain point, so I posted in the support forums about it and am awaiting a response from there :-)

http://www.lunarsoft...?showtopic=2171 is the Topic Forum

#35 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 5,577 posts

Posted 22 July 2007 - 07:16 AM

It looks like they have replied at Lunarsoft. Let me know what happens.

#36 Squidolin

Squidolin

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 24 July 2007 - 01:22 AM

Hi, sorry for the long delay.

I went through all of the procedures at Lunarsoft, which took forever, hehehe, and they asked me to post another HijackThis log...

http://www.lunarsoft...?showtopic=2172

is where it is if you'd like to see it ;-)

#37 Squidolin

Squidolin

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 24 July 2007 - 11:33 PM

After all that, I finally got Dial-A-Fix to run, but it didn't help with the errors unfortunately :(

#38 Squidolin

Squidolin

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 26 July 2007 - 01:55 AM

I uninstalled IE7.... :hmmm:

no more errors ...

Thank you for all your time and help, it is very much appreciated. ^_^

#39 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 5,577 posts

Posted 26 July 2007 - 10:35 PM

You're welcome.

Interesting... did you originally install IE7 from Microsoft's website or somewhere else, like Yahoo? Have you tried to see if the errors reoccur if you reinstall IE7? I am just curious and wondering if it was corrupt or if something was conflicting; do not feel you need to reinstall it just to satisfy my curiosity. I am glad your computer is running better.

I just reviewed the Lunarsoft thread. It bothers me that the Vundo files and settings we had removed came back. Keep an eye on your HijackThis log for a while and make sure they do not reappear.

#40 Squidolin

Squidolin

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 26 July 2007 - 11:13 PM

I was considering reinstalling IE7 also, but might wait a bit as these error-free times are very enjoyable :thumbup:

I'm suspicious of the Uniblue Registry Booster for bringing back the Vundo files actually. I had reinstalled it to try to get it to show up in Control Panel>Add/Remove programs, and those files were back in the HijackThis log. Might just be coincidence, but I'm not going to reinstall that program.

I'm pretty sure I would have got IE7 through Microsoft, either during a Windows Update, or for some other reason I was using IE6 and it suggested I upgrade.

#41 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 5,577 posts

Posted 26 July 2007 - 11:23 PM

> I was considering reinstalling IE7 also, but might wait a bit as these error-free times are very enjoyable :thumbup:

I heard that.

> I'm suspicious of the Uniblue Registry Booster for bringing back the Vundo files actually. I had reinstalled it to try to get it to show up in Control Panel>Add/Remove programs, and those files were back in the HijackThis log. Might just be coincidence, but I'm not going to reinstall that program.

I would not reinstall it either, and I would probably check my HijackThis log every day or so for a week or two just to make sure it stays gone.

> I'm pretty sure I would have got IE7 through Microsoft, either during a Windows Update, or for some other reason I was using IE6 and it suggested I upgrade.

OK, I have seen slightly more corrupted installs if they come from places other than Microsoft, but IE can corrupt for any number of reasons. It is possible that the infection broke it.

I will leave this thread open for about a week, let me know if you have any other problems that surface in the meantime.

#42 Squidolin

Squidolin

    Member

  • Full Member
  • Pip
  • 23 posts

Posted 28 July 2007 - 12:41 AM

Hmmm... I reinstalled IE7 (through Windows Update) because I have some other stuff that isn't working right, and when you uninstall IE7, a window pops up that lists a bunch of programs that might not run right if IE7 is uninstalled. Anyway, I installed it anyway. The good news: no errors like before. The bad news: I lost the XP theme again, but only after the Security Update and the Cumulative Security Update through Windows Update :hmmm:
Going to find that link again and see if I can fix it, and see if I can get these other programs to run right (i.e. I can't install anything from Adobe, Flash CS3 or Illustrator CS3).


**Edit**

Got Luna Theme back, but still can't install Adobe stuff, guess I'll try to get a hold of them.

Edited by Squidolin, 28 July 2007 - 01:08 AM.


#43 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 5,577 posts

Posted 28 July 2007 - 11:07 AM

For the other stuff that said it might not run right if IE7 is uninstalled, I would try uninstalling and reinstalling them. They were probably hooked into your original IE7 install.

Let me know what happens.

#44 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 5,577 posts

Posted 24 August 2007 - 09:19 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
